sesh / ready

Are you production ready?
ISC License

SPF DNS record test fails if it encounters a CNAME? #21

Closed mejofi closed 5 months ago

mejofi commented 5 months ago

Version: 1.2.1

It looks like the "SPF DNS record is depreciated and should not exist" test fails if it encounters a CNAME, such as when a subdomain lookup yields a CNAME response instead of A/AAAA records.

I would expect this to result in either an additional lookup, following the CNAME chain until it yields a definitive response, or to recognise it as the wrong answer, perhaps checking if it's properly formatted, such as starting with v=spf1?

Example: when testing 'www.ur.nl', it fails with the following error:

[FAIL] SPF DNS record is depreciated and should not exist (['apex.datatruckers.net.'])

The answer makes sense, since it is the CNAME record:

$ dig +short -t CNAME www.ur.nl
apex.datatruckers.net.

$ dig +short -t SPF www.ur.nl
apex.datatruckers.net.

$ dig +short -t SPF apex.datatruckers.net

sesh commented 5 months ago

Interesting one. Thanks for the report.

I have updated the check to filter to only SPF records. I wasn't aware that the CNAME record would be returned when querying for SPF records.

This passes for your domain now.

I've set up a test domain (subdomain-with-spf-record.b5n.sh) that has an SPF record to test the failure.

> python3 -m ready.ready subdomain-with-spf-record.b5n.sh --request-filter=dns --check-filter=spf
Domain: subdomain-with-spf-record.b5n.sh, Domain (no path): subdomain-with-spf-record.b5n.sh, First Level Domain: b5n.sh
[FAIL] SPF DNS record is depreciated and should not exist (['"v=spf1 -all"'])
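The fix sesh describes, shown as an added example (this is not code from the ready project): a query for the obsolete SPF RR type (type 99, deprecated by RFC 7208 section 3.1) on a name that is an alias returns the CNAME in the answer section, followed by any type-99 records at the end of the chain. A check that treats every answer record as an SPF record then reports the CNAME target as a stray SPF record, which is exactly the false positive in this issue. Keeping only records whose type is SPF removes it, while a real type-99 record at the CNAME target is still caught because the resolver already includes it in the answer. The zone table, the resolver stub and the extra alias.example / legacy.example names are constructed for this example so it runs offline; the output format is modelled on the [FAIL] lines quoted above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS answer section."""
    name: str
    rtype: str   # "CNAME", "TXT" or "SPF" (the deprecated RR type 99)
    rdata: str


# Constructed zone data modelled on the names in the issue, plus one extra
# alias (alias.example.) whose target still carries a type-99 record.
ZONE = {
    "www.ur.nl.": [RR("www.ur.nl.", "CNAME", "apex.datatruckers.net.")],
    "apex.datatruckers.net.": [RR("apex.datatruckers.net.", "TXT", '"v=spf1 -all"')],
    "subdomain-with-spf-record.b5n.sh.": [
        RR("subdomain-with-spf-record.b5n.sh.", "TXT", '"v=spf1 -all"'),
        RR("subdomain-with-spf-record.b5n.sh.", "SPF", '"v=spf1 -all"'),
    ],
    "alias.example.": [RR("alias.example.", "CNAME", "legacy.example.")],
    "legacy.example.": [RR("legacy.example.", "SPF", '"v=spf1 mx -all"')],
}


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def resolve(name: str, rtype: str, max_chain: int = 8) -> list[RR]:
    """Stub resolver returning what a real answer section holds for a
    non-CNAME query on an alias: the CNAME record(s), then whatever
    records of the requested type exist at the end of the chain."""
    answer: list[RR] = []
    current = fqdn(name)
    for _ in range(max_chain + 1):
        rrs = ZONE.get(current, [])
        cname = next((r for r in rrs if r.rtype == "CNAME"), None)
        if cname is not None and rtype != "CNAME":
            answer.append(cname)
            current = fqdn(cname.rdata)
            continue
        answer.extend(r for r in rrs if r.rtype == rtype)
        return answer
    raise RuntimeError(f"CNAME chain for {name} exceeds {max_chain} hops")


def deprecated_spf_records_naive(name: str) -> list[str]:
    """The behaviour reported in the issue: every record in the answer is
    treated as a type-99 SPF record, so a CNAME shows up as a finding."""
    return [r.rdata for r in resolve(name, "SPF")]


def deprecated_spf_records(name: str) -> list[str]:
    """The fix: keep only records whose type really is SPF (type 99). Each
    finding carries its owner name, so a hit at a CNAME target is attributed
    to the target rather than to the alias that was queried."""
    return [f"{r.name} {r.rdata}" for r in resolve(name, "SPF") if r.rtype == "SPF"]


def looks_like_spf(rdata: str) -> bool:
    """The alternative raised in the issue: judge a record by its content.
    Anything that does not start with v=spf1 is not an SPF policy."""
    return rdata.strip('"').lower().startswith("v=spf1")


def check(name: str) -> str:
    """Render the result in the style of the tool's output lines."""
    findings = deprecated_spf_records(name)
    if findings:
        return f"[FAIL] SPF DNS record is deprecated and should not exist ({findings})"
    return "[PASS] SPF DNS record is deprecated and should not exist"


if __name__ == "__main__":
    for n in ("www.ur.nl", "subdomain-with-spf-record.b5n.sh", "alias.example"):
        print(n, "naive:", deprecated_spf_records_naive(n))
        print(n, check(n))
```

The resolver stub mirrors standard CNAME handling so that the alias case from the issue produces the same false positive with the naive filter and passes with the type filter, while alias.example shows that a real type-99 record behind a CNAME is still reported, attributed to legacy.example where it actually lives.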
sesh commented 5 months ago

I don't mind the idea of following the CNAME chain but it's probably slightly out of scope for this check. Someone using this tool could manually check their CNAME domain for the bad SPF record.

FYI - the other SPF checks do recursively follow includes.

mejofi commented 5 months ago

Just noticed a typo in this check, by the way; 'depreciated' != 'deprecated'. Shall I file this as a separate issue?

sesh commented 5 months ago

Ooops. That's a typo / mistake that haunts me for some reason. Whenever I go to type deprecated, depreciated comes out if I'm not careful.

mejofi commented 5 months ago

Yeah, it's a sneaky one 😄